Summary

Description

W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate remote application download, and provide back door access to a remote attacker.

Based on the samples collected from a research organization based in Europe, the malware shares source code similarities with W32/Stuxnet-B, documented in Alert 20915. Reports suggest that W32.Duqu has been programmed with the intent of information gathering only, suggesting that it could be a precursor to forthcoming advanced attacks. The malicious software could gather the following information:

Screenshots

Keypresses

Open Window names

Enumerated file information from shared, removable and all connected drives

System network and domain information

Lists of running processes, account details

W32.Duqu primarily consists of a driver file that is functionally equivalent with W32/Stuxnet-B, a DLL containing multiple embedded files, a configuration file, and a dropper program that installs these files on a targeted system.

The trojan communicates with its command and control center over the HTTP and HTTPS protocols. Server Message Block (SMB) command and control channel functionality has also been implemented and could be used for communications.

Impact

W32.Duqu attempts to log user keystrokes, take screenshots at regular intervals, and collect other system-related information such as a list of running processes, account details, domain information, and network information. Additionally, the malicious software could also log drive names and other shared or removable drive information, open window names, and directory information from all drives. The malicious software may also initiate remote application download and act as a remote access trojan, granting back door access to an unauthorized, remote attacker.

Warning Indicators

On systems running Microsoft Windows, the presence of the following files and registry key modification may indicate an infection:

The presence of .tmp files in the %Temp% folder whose names begin with ~DQ could also indicate the presence of this trojan.

W32.Duqu could also try to perform a DNS lookup on the following domain: kasperskychk.dyndns.org

Personal firewall applications may display a notification message when W32.Duqu attempts to connect to the Internet to pass information to a remote attacker.

Host intrusion detection and prevention system software may display a notification when the trojan attempts to connect to the Internet to post information or download updates.

Technical Information

W32.Duqu primarily consists of a driver file that is functionally equivalent with W32/Stuxnet-B, a DLL containing multiple embedded files, a configuration file, and a dropper program that installs these files on a targeted system.

On execution, the installer registers the driver file (JMINET7.SYS/CMI4432.SYS) as a service so that the driver is executed at system startup.

The driver then injects the main DLL (NETP191.PNF/CMI4432.PNF) into a specified process, typically services.exe. This process name and the DLL file path are retrieved from the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3\FILTER

The data stored within the registry subkeys are encrypted with a custom multiplication rolling key algorithm and are decoded using the encryption_key field contained. By default, the process to be injected into is services.exe. In addition to the above, the driver also verifies that the system is not in Safe Mode and checks for the presence of process debuggers.

Subsequently, the main DLL (NETP191.PNF/CMI4432.PNF) begins execution by extracting certain other components. These components are further injected into processes such as Explorer.exe, IExplore.exe and Firefox.exe.

The trojan could then download an additional executable that acts as the main information stealer.

W32.Duqu is designed to remove itself after a period of 36 days.
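As an added example, not part of the Cisco alert, the following read-only PowerShell triage script checks a Windows host for the indicators given in the Warning Indicators and Technical Information sections above: a service whose ImagePath loads JMINET7.SYS or CMI4432.SYS, the JmiNET3\FILTER registry key, ~DQ*.tmp files in %Temp%, and a cached DNS lookup of kasperskychk.dyndns.org. It assumes an elevated prompt and Windows PowerShell 3.0 or later; the NETP191.PNF/CMI4432.PNF DLL names are not searched because the alert gives no path for them.

```powershell
# Added triage example (not from the Cisco alert). Read-only: it only reads
# the registry, the temp folder and the DNS client cache, and reports matches.
$findings = @()

# 1. Driver file names the alert says the installer registers as a service.
$driverNames = 'JMINET7.SYS', 'CMI4432.SYS'
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $imagePath = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        foreach ($d in $driverNames) {
            # -like is case-insensitive, so JmiNET7.sys and JMINET7.SYS both match
            if ($imagePath -and ($imagePath -like "*$d*")) {
                $findings += "Service $($_.PSChildName) loads $d (ImagePath: $imagePath)"
            }
        }
    }

# 2. Registry key from which the driver reads the injection target and DLL path.
$filterKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\JmiNET3\FILTER'
if (Test-Path -Path $filterKey) {
    $findings += "Registry key present: $filterKey"
}

# 3. ~DQ*.tmp files in the current user's %Temp% folder.
Get-ChildItem -Path $env:TEMP -Filter '~DQ*.tmp' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += "Temp file: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
    }

# 4. Cached DNS lookup of the domain named in the alert. Get-DnsClientCache exists on
#    Windows 8 / Server 2012 and later; older hosts fall back to ipconfig /displaydns.
$domain = 'kasperskychk.dyndns.org'
if (Get-Command -Name Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -eq $domain -or $_.Name -eq $domain } |
        ForEach-Object { $findings += "DNS cache entry: $($_.Entry) -> $($_.Data)" }
} elseif ((ipconfig /displaydns) -match [regex]::Escape($domain)) {
    $findings += "DNS cache entry for $domain (from ipconfig /displaydns)"
}

if ($findings.Count -eq 0) {
    'No W32.Duqu indicators from the alert were found on this host.'
} else {
    $findings
}
```

A hit on any single check warrants isolating the host and collecting the matched files and registry data before remediation, since the ~DQ*.tmp files and the FILTER key hold the injection configuration an analyst needs.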

Analysis

W32.Duqu shares a large amount of code with W32/Stuxnet-B, suggesting that they were created by someone having access to the W32/Stuxnet-B source code. However, instead of sabotaging Supervisory Control And Data Acquisition (SCADA) and Industrial Control Systems (ICS), W32.Duqu appears to enable remote access and information-stealing capabilities.

To evade IPS and IDS detection and mask malicious communication between the trojan and its command and control center, the trojan could upload and download random .jpg files.

The trojan's driver file is signed with a valid digital certificate, belonging to a company in Taipei, Taiwan, that expires on August 2, 2012. This certificate was revoked on October 14, 2011.

Reports indicate that this trojan leverages a 0-day vulnerability within the Microsoft Windows platform, documented in Alert 24500, to install itself on the targeted system via Microsoft Word (.doc) files.

A Command and Control server, which uses a peer-to-peer protocol for communication with clients installed on infected systems, was found to be located in Belgium. The server has an IP address of 77.241.93.160; however, it has since been disabled by the service provider.

Rule-based and application-based firewalls are likely to prevent or limit the impact of this trojan. Rule-based firewalls are typically set up by an administrator for an entire network. These firewalls are often set up to block all traffic entering and exiting a network except traffic traveling through ports needed for production. Application-based firewalls are often found on client systems and can be configured to allow certain services and processes to access the Internet or local network. These firewalls can be configured to prompt a user each time a new process or service attempts to access the Internet or local network. Both types of firewalls may prevent malicious code from downloading updates or additional files. The firewalls may also prevent the malicious code from contacting an attacker or website and from accessing local network resources.

Most host intrusion detection/prevention system software, such as Cisco Security Agent, can be configured to warn users when suspicious activity occurs on their systems. This software can be configured to prevent this trojan from executing its infection routines. Host intrusion detection/prevention system software may also be configured to prompt a user when suspicious activity occurs. Often users can choose whether to allow or deny the activity in question. These factors will limit the infection rate and impact on most systems.

Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network. User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.

Safeguards

Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.

Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.

Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.

Block all file attachments except those that are specifically required for business purposes.

Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan all files and provide full-time or auto-protect functions. Configure antivirus products to scan three levels deep on compressed files.

Provide initial and continuing education to all levels of users throughout the organization.

Patches/Fixed Software

The Symantec Security Response for W32.Duqu is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec

The F-Secure Virus Description for W32.Duqu is available at the following link: Virus Description

Revision History

Version 3 (2011-November-02 15:08 GMT): IntelliShield has updated this alert to include information about a 0-day vulnerability in the Microsoft Windows platform that the W32.Duqu trojan could leverage to infect a targeted system. ICS-CERT has also released a security alert with additional information regarding this trojan.

Version 2 (2011-October-25 17:44 GMT): IntelliShield has updated this alert to include information about a companion document released by the Cisco Applied Intelligence team.

Version 1: W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate remote application download, and provide back door access to a remote attacker. Virus definitions are available.

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products

Cisco Threat Outbreak Alerts address spam and phishing campaigns that attempt to collect sensitive information or spread malicious software by using email attachments or by directing users to malicious sites. These alerts document threats that are active in the wild and provide SenderBase RuleIDs for mitigations; sample email messages; and names, sizes, and MD5 hashes of files.